The consumer protection group has called for retailers to take smart toys off retail shelves if they’ve got “proven security or privacy issues”.

“We’re calling for smart toys to be made secure, or taken off sale entirely,” Which? said on Tuesday.

Which? singles out four smart toys in which it and other researchers have found “concerning vulnerabilities” that could expose children to spying, tracking or a stranger communicating with them. It notes the bugs can be exploited by anyone, not just professional hackers.

The group approached all major toy retailers to raise their concerns over the products and also filed reports with UK Government child protection agencies and the UK’s National Cyber Security Centre.

Which? asked UK security firm ContextIS to probe a Furby Connect, a Bluetooth-connected smart toy made by US toy giant Hasbro. ContextIS used elements of a project by Florian Euchner that explores a Furby Connect’s microcontrollers for controlling its movements and displaying animations on its LCD eyes.

ContextIS used the work to explore potential security vulnerabilities. It says the toy didn’t implement available Bluetooth security technologies such as requiring authentication for pairing or encrypting links between it and the phones it connects with. This would allow anyone with a phone with the Furby Connect World app installed to connect to the toy and communicate with it.

The firm was able to display custom graphics and animations on the toy’s eyes using the Bluetooth weaknesses. It also found the toy doesn’t require firmware updates to be digitally signed by the manufacturer, which could allow an attacker to install a malicious firmware update.
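The unsigned-firmware finding above is the easier of the two weaknesses to illustrate in code. The following is an added example, not code from Hasbro, ContextIS or the Furby Connect itself, showing what a device's update routine should do before writing anything to flash: parse the image, verify a manufacturer signature over header and payload, and refuse downgrades. The image layout (a `FRMW` magic, big-endian version and length fields, payload, then a 64-byte Ed25519 signature) is constructed for this example and is not the toy's real format; the Ed25519 key pair is generated at run time purely for demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update image layout, constructed for this example (not Hasbro's):
//   magic[4] "FRMW" | version uint32 BE | payloadLen uint32 BE | payload | signature[64]
// The Ed25519 signature covers everything before it (header + payload), so a
// change to the version, length or payload invalidates it.
const (
	magic  = "FRMW"
	hdrLen = 12
	sigLen = ed25519.SignatureSize
)

var (
	ErrBadFormat = errors.New("firmware: malformed image")
	ErrBadSig    = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version not newer than installed")
)

// BuildImage is the manufacturer side: the build pipeline signs the image with
// the private key, which never leaves the manufacturer.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr[:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the device side: only the manufacturer's public key is burned
// into the toy. It returns the version and payload of a valid image; any
// failure rejects the whole update, so nothing unverified ever reaches flash.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != magic {
		return 0, nil, ErrBadFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := binary.BigEndian.Uint32(img[8:12])
	// The declared payload length must account for every byte between header and signature.
	if uint64(n) != uint64(len(img)-hdrLen-sigLen) {
		return 0, nil, ErrBadFormat
	}
	signed := img[:hdrLen+int(n)]
	sig := img[hdrLen+int(n):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	// Anti-rollback: a genuinely signed but older image could reintroduce fixed bugs.
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, signed[hdrLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // demo key pair, generated at run time
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 2, []byte("eye animation table v2")) // constructed payload
	if v, _, err := VerifyImage(pub, 1, img); err == nil {
		fmt.Println("accepted firmware version", v)
	}
	tampered := append([]byte(nil), img...)
	tampered[hdrLen] ^= 0xff // flip one payload byte
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
}
```

The point of the design is that the device holds only a public key, so possessing the toy or the app is not enough to produce an image it will accept; the length check and the rollback check close the two usual gaps in otherwise signed update schemes (trailing or truncated bytes, and replay of an old signed image).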

Hasbro told Which? that Furby Connect and the Furby app didn’t collect personally identifiable information such as a user name, address or email address. It also doesn’t allow users to create profiles and doesn’t record users’ voices or use a phone’s microphone.

This suggests at least Furby Connect users don't face the same risks as users of CloudPets, whose user names and recorded messages were stored on an unsecured database.

Which?’s alert warns consumers about toys that other researchers and consumer protection groups have found security flaws in, including the I-Que Intelligent Robot, Cayla talking doll, CloudPets, and Toy-fi Teddy.

Germany’s telecommunications authority earlier this year called on parents to render Cayla harmless after finding it was a concealed surveillance device under local laws.

Which?’s petition echoes last year’s call by the Norwegian Consumer Council for updated consumer product safety regulations to ensure data security and privacy is considered equally as important as physical safety.

The FBI recently published an advisory containing a lengthy list of what parents should do “at a minimum” prior to using internet-connected toys. Satisfying the checklist could make non-technical parents think twice about the effort involved in buying a connected toy and ensuring a child could use it safely.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.